Tech giants are raking in billions from our personal data while leaving us exposed to financial chaos. Our information is stolen regularly, and we’re left paying for their mistakes.
Major corporations have built business models on our data, often without our knowing who holds our information or how it is used. They have appointed themselves stewards of our data with barely any oversight, and they accept the liability for breaches readily because the consequences are laughable. They get rich, cybercriminals make fortunes, and we’re left holding the bag.
Criminals turn stolen information into fake lines of credit and steal government benefits, wreaking havoc on people’s lives. More than 1 in 5 Americans will fall victim to identity theft in their lives. The FTC reports that victims are out $1,500 to $4,800 on average, not to mention the 200 to 600 hours of their lives spent trying to restore their identity. Some never fully recover, facing wrongful arrests, no-fly lists, and denial of credit applications.
On Aug. 16, National Public Data (NPD), a consumer data broker, reported a breach that exposed 2.7 billion to 2.9 billion personal records. This breach could impact most, if not all, Americans. Talk about a trust-shattering event.
Sure, we’ve got the Gramm-Leach-Bliley Act from 1999, which requires data security at financial institutions, but no comparable federal law effectively regulates most other types of companies. The SEC holds public companies accountable, but enforcement is weak, and fines are often cheaper than implementing robust security measures. Without significant consequences, these self-appointed protectors of our information have no motivation to spend what it takes to protect us.
In contrast, the European Union’s General Data Protection Regulation (GDPR) gives individuals enforceable rights over their personal data, treating it as theirs rather than as a corporate asset. GDPR is an outcome-focused framework that requires data protection by design and by default. Cisco’s 2023 Cybersecurity report indicates that data breaches have decreased by 40% in companies adhering to GDPR policies.
One major complaint about GDPR is its vagueness regarding security requirements. It mandates that organizations maintain data security but does not prescribe how they should do so. Companies are lobbying the EU for clearer guidelines to limit their liability.
Without significant financial consequences for breaches, data protection remains neglected. Cybersecurity incidents are common, yet individuals often can’t identify the source of their identity theft, leaving them without legal recourse.
Lawmakers can’t legislate a complete solution but can create consequences that outweigh the costs of proper security measures. Penalties should be significant and scaled according to an organization’s size and potential damage. This would encourage insurance companies to scrutinize cybersecurity practices more closely.
A “three-strikes” system could escalate penalties or ban data collection based on the frequency and severity of violations. Real risks must be introduced for organizations that cause widespread financial chaos for Americans.
Outcome-based regulation is more effective than prescriptive regulation. Instead of outdated checklists that companies use to hide behind compliance, this approach encourages ongoing improvement and innovation in security practices. It forces them to take their responsibilities seriously.
In this digital age, our identities have become commodities, carelessly guarded by those we trust. We often don’t know who has our information until it’s too late — when our credit is ruined and our reputations destroyed. We must demand more than symbolic gestures while being thrown to the criminal wolves.
It’s time for Congress to enact comprehensive, outcome-based data protection legislation that prioritizes Americans’ digital identities and financial futures. Our data is our personal property; it’s time our laws reflected that reality.
Devin Jones is chief operating officer of cybersecurity company Active Cypher.